Publication Date: 2017-06-30 | Views: 427 | Downloads: 0 | Author: a84079237 | Document ID: EKB1000713483
After the customer configured the VPN tunnel, the VPN session came up but there was no data flow, and when he pinged from the local site to the remote site the security policies were not triggered. The device is a USG6300 running V500R001C30SPC100.
As we can see in the diagnostic output (display ipsec sa), no encrypted packets are exchanged:
IPSec policy name: "ipsec2031157295"
Sequence number : 1
Acl group : 3003
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 15
Encapsulation mode: Tunnel
Tunnel local : 62.159.X.X
Tunnel remote : 80.X.X.X
Flow source : 192.168.X.X/255.255.255.0 0/0
Flow destination : 192.168.X.X/255.255.255.0 0/0
[Outbound ESP SAs]
SPI: 4074064461 (0xf2d54a4d)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/968
Max sent sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA encrypted packets (number/bytes): 0/0
[Inbound ESP SAs]
SPI: 2788767083 (0xa639356b)
Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
SA remaining key duration (kilobytes/sec): 5242880/968
Max received sequence-number: 1
UDP encapsulation used for NAT traversal: N
SA decrypted packets (number/bytes): 0/0
Anti-replay : Enable
Anti-replay window size: 1024
I first checked the tunnel to confirm that it is up:
===============display ipsec tdbentry===============
Interface: GigabitEthernet0/0/7
-----------------------------
IPSec policy/profile name: "ipsec2031157295"
Sequence number : 3
Acl group : 3003
Acl rule : 5
Mode : ISAKMP
-----------------------------
Tunnel local : 62.X.X.X
Tunnel remote : 212.X.X.X
Flow source : 192.168.X.X/255.255.255.255 0/0
Flow destination : 10.4.X.X/255.255.252.0 0/0
Inbound tdb flag : Ready
Outbound tdb flag : Ready
Anti-replay : Enable
Anti-replay window size : 1024
Fragment Before-encryption: Disable
I then checked whether the ACL is correct:
acl number 3003
rule 5 permit ip source 192.168.X.X 0 destination 10.4.X.X 0.0.3.255
Up to this point everything is configured correctly and the tunnel is up, so the next step is to check the traffic flow by displaying the firewall session table (verbose, filtered on the inside source address):
display firewall session table verbose source inside 192.168.X.X
2017-06-28 14:18:02.489 +02:00 DST
Current Total Sessions : 1
icmp VPN: public --> public ID: a48f34e8c0b703f0f5953b367
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:18
Recv Interface: GigabitEthernet0/0/1
Interface: GigabitEthernet0/0/7
NextHop: 62.159.X.X MAC: 0000-XXXX-XXXX
<--packets: 0 bytes: 0 --> packets: 369 bytes: 22,140
192.168.X.X:1[62.159.X.X:2048] --> 192.168.X.X:2048 PolicyName: VPN_Traffic2DHL
As we can see, the traffic is NAT-ed: the address in square brackets after the source, 62.159.X.X, is the translated source address, and the session shows 369 packets leaving and 0 packets returning. The next step is to check the NAT policy:
#
nat-policy
rule name policy_nat
source-zone trust
destination-zone untrust
action nat address-group outsideip
rule name LocalNAT
source-zone local
destination-zone untrust
action nat address-group outsideip
#
From this we can conclude that all traffic coming from the inside 192.168.X.X network toward untrust is NAT-ed to the outside IP 62.159.X.X. On the USG, source NAT is applied to outbound traffic before the ACL of the IPsec policy is evaluated, so by the time the packet reaches the IPsec stage its source address is already 62.159.X.X and it no longer matches rule 5, which requires source 192.168.X.X. This means that the ACL is not matching any packets:
acl number 3003
rule 5 permit ip source 192.168.X.X 0 destination 10.4.X.X 0.0.3.255
To make the traffic match ACL 3003, we have to add a no-nat rule to the NAT policy for the flow that is to be encrypted. NAT policy rules are matched top-down and the first match wins, so this rule must sit before the generic policy_nat rule (it can be repositioned with rule move policy_nat1 before policy_nat); otherwise policy_nat still translates the traffic first:
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.X.X 0.0.0.255
destination-address 62.159.X.X 0.0.0.255
action no-nat
quit
#
With this rule in place, the data is no longer translated, matches the ACL bound to the IPsec policy, and is encrypted into the tunnel. To verify, ping from the local site again and re-run display ipsec sa: the SA encrypted packets (number/bytes) counter of the outbound SA should now increase, and the session table entry should no longer show a bracketed translated source address.
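To make the forwarding order and the rule-ordering caveat concrete, the following Python model was added to this article; it is not Huawei code and is not part of the original post. It uses placeholder addresses in place of the anonymised X.X values, assumes that the no-nat rule's destination-address covers the remote private subnet protected by ACL 3003, and models the NAT policy as top-down, first match wins:

```python
"""Model of why source NAT applied before the IPsec ACL breaks the tunnel,
and why the no-nat rule only helps when it is matched first.

Constructed example for this article; not Huawei code. It models the USG
outbound order: NAT policy first, then the ACL of the IPsec policy.
All addresses are placeholders standing in for the anonymised X.X values.
"""
import ipaddress
import re


def _to_int(addr):
    # Huawei ACLs write an exact-host wildcard as a bare "0".
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))


def acl_match(addr, base, wildcard):
    """Huawei wildcard semantics: wildcard bit 0 = must match, bit 1 = don't care."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


# acl number 3003 / rule 5 permit ip source <host> 0 destination 10.4.0.0 0.0.3.255
IPSEC_ACL = {"src": ("192.168.1.10", "0"), "dst": ("10.4.0.0", "0.0.3.255")}

# The NAT policy from the article, in match order (placeholder addresses).
POLICY_NAT = {"name": "policy_nat", "src_zone": "trust", "dst_zone": "untrust", "action": "nat"}
LOCAL_NAT = {"name": "LocalNAT", "src_zone": "local", "dst_zone": "untrust", "action": "nat"}
# Assumption: the no-nat rule covers the local /24 and the remote private
# subnet of ACL 3003, so it catches exactly the traffic that must be encrypted.
NO_NAT = {"name": "policy_nat1", "src_zone": "trust", "dst_zone": "untrust",
          "src": ("192.168.1.0", "0.0.0.255"), "dst": ("10.4.0.0", "0.0.3.255"),
          "action": "no-nat"}

ORIGINAL_POLICY = [POLICY_NAT, LOCAL_NAT]
FIXED_POLICY = [NO_NAT, POLICY_NAT, LOCAL_NAT]    # no-nat is matched first
WRONG_ORDER = [POLICY_NAT, LOCAL_NAT, NO_NAT]     # appended last, never reached

POOL_IP = "62.159.0.1"   # address-group outsideip (placeholder)

# A ping from the inside host toward the remote site, as in the article (constructed).
PING = {"src_zone": "trust", "dst_zone": "untrust", "src": "192.168.1.10", "dst": "10.4.1.20"}


def apply_nat_policy(pkt, policy, pool_ip=POOL_IP):
    """Top-down, first match wins. Returns (packet after NAT, name of the rule hit)."""
    for rule in policy:
        if (rule["src_zone"], rule["dst_zone"]) != (pkt["src_zone"], pkt["dst_zone"]):
            continue
        if "src" in rule and not acl_match(pkt["src"], *rule["src"]):
            continue
        if "dst" in rule and not acl_match(pkt["dst"], *rule["dst"]):
            continue
        if rule["action"] == "no-nat":
            return dict(pkt), rule["name"]
        return dict(pkt, src=pool_ip), rule["name"]   # source NAT to the pool address
    return dict(pkt), None


def forward(pkt, policy, acl=IPSEC_ACL):
    """NAT stage first, then the IPsec ACL check on the (possibly translated) packet."""
    after_nat, hit = apply_nat_policy(pkt, policy)
    encrypted = (acl_match(after_nat["src"], *acl["src"])
                 and acl_match(after_nat["dst"], *acl["dst"]))
    return {"nat_rule": hit, "src_on_wire": after_nat["src"], "encrypted": encrypted}


SESSION_RE = re.compile(r"([^\s\[:]+):(\d+)(?:\[([^\s\]:]+):(\d+)\])?\s+-->\s+([^\s:]+):(\d+)")


def parse_session(line):
    """Read the flow line of 'display firewall session table verbose'.
    A bracketed address after the source is the post-NAT source address."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    src, _, nat_src, _, dst, _ = m.groups()
    return {"src": src, "nat_src": nat_src, "dst": dst, "natted": nat_src is not None}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY),
                          ("wrong order", WRONG_ORDER)):
        print(label, forward(PING, policy))
    # Constructed session line in the format shown in the article.
    print(parse_session("192.168.1.10:1[62.159.0.1:2048] --> 10.4.1.20:2048 PolicyName: VPN_Traffic2DHL"))
```

Running it prints one line per scenario: with the original policy the packet leaves with source 62.159.0.1 and never matches the ACL; with the no-nat rule matched first it keeps 192.168.1.10 and is encrypted; with the no-nat rule appended after policy_nat it is translated again, which is why the rule position matters. parse_session() shows how to read the bracketed translated address in the session table.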